The case, Sandvig v. Barr, is a lawsuit by university professors, computer scientists, and journalists who want to research how algorithms unlawfully discriminate based on characteristics like race or gender. To determine whether algorithms produce discriminatory results, the researchers want to create multiple “tester” accounts. For example, to study the impact of gender on an employment website's algorithms, a researcher may create tester accounts that are identical except as to their listed gender, to isolate the effect that users’ gender has on the job postings that an algorithm provides them.

This type of audit testing is commonly used to identify discrimination in the offline world, including by the federal government itself. But when these kinds of studies move online, researchers have been concerned—and in some cases chilled—by the prospect of federal criminal liability. This is because online discrimination research sometimes involves violating a website’s terms of service, such as a prohibition against providing inaccurate account information. And the government interprets the CFAA, a law meant to target serious computer break-ins, so broadly that it would turn a violation of a website’s terms of service into a federal crime.

If you’re not familiar with the CFAA, you may be wondering how it is possible that a law meant to target serious computer break-ins is being abused to target violations of websites’ terms of service. The CFAA makes it a crime to “access a computer without authorization” or in a manner that “exceeds authorization.” But the law doesn’t make clear what these phrases mean. Though the law was intended to address malicious break-ins of private computer systems, in the absence of clear definitions, the government has argued that it goes much further.

Under such sweeping interpretations of the CFAA’s vague language, a researcher who tests a job website for discrimination by using false first names when registering a user account would be committing a federal crime if the website has a “real name” policy. The Sandvig v. Barr plaintiffs, represented by the ACLU, have argued that this expansive interpretation of the CFAA violates their First Amendment right to engage in harmless false speech.

In a resounding victory for free speech and anti-discrimination testing, the D.C. District Court made clear that the CFAA does not sweep so far. For several reasons, the court ruled, violations of a website’s terms of service cannot be grounds for criminal liability under the CFAA.

First, the public is entitled to notice of criminal laws. As the court recognized, websites’ terms of service can’t provide sufficient notice to users because the terms of service are “often long, dense, and subject to change,” and may be hidden away in fine print or at the bottom of a website.

Next, criminal law must be enacted through Congress, and Congress cannot delegate that power to private entities. If the CFAA were interpreted to criminalize violations of websites’ terms of service, the court explained, it would “turn[] each website into its own criminal jurisdiction and each webmaster into his own legislature”—and each website’s terms of service into “a law unto itself.”

Finally, the court determined that interpreting the CFAA to criminalize constitutionally protected speech that happens to violate a website’s terms of service would present a serious threat to the First Amendment. By rejecting such a broad interpretation of the CFAA, the court ensured that the Sandvig v. Barr plaintiffs and others can continue engaging in protected speech without fear of criminal liability.

As access to critical resources such as housing opportunities and job prospects is increasingly governed by opaque algorithms, it is essential that researchers, computer scientists, and journalists be able to test those algorithms for intentional or unintentional discrimination. This decision is therefore not only critical for protecting beneficial research and journalism, but it is also an important victory in the ongoing fight for algorithmic transparency and accountability.
